basicsecurity.net
Proof, not just disclosure.
Akira

G1024 · ATT&CK Group · Ransomware (tier is our call, not MITRE’s)

How MITRE ATT&CK characterizes this group [1]: Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to…

Origin / sponsor: not established from a curated public advisory — see Coverage & confidence. Not asserted here.

Also tracked as: GOLD SAHARA, PUNK SPIDER, Howling Scorpius — ATT&CK group page [1]

Read this as: a crew that turns access into an outage (tier is our editorial call, not MITRE’s).

A ransomware classification means the path is funded to reach disruption and extortion — encryption, data theft for leverage, and downtime. Exposure here is a business-continuity problem, not just a patch ticket. All tradecraft below is sourced to MITRE ATT&CK.

At a glance (ATT&CK counts):

  • Techniques: 17 — ATT&CK count [1]
  • Named tools / malware: 8 — ATT&CK count [2]
  • Attributed campaigns: 0 — ATT&CK count [1]
  • Tactics spanned: 12 — ATT&CK count [1]
  • Activity bounds: coverage gap — no attributed campaign

01 · Known for — signature moves, each sourced to ATT&CK

  • Arsenal (named tooling): ATT&CK attributes 8 tools/malware to this group, including Mimikatz, PsExec, LaZagne, AdFind. [2]
  • Reach (furthest outcome): this actor's cited tradecraft reaches as far as outcome 5 — Lights out — disruption & extortion (editorial mapping over ATT&CK tactics).
02 · Tradecraft heatmap — ATT&CK techniques mapped onto the five attacker-outcome narratives

Each row is a documented technique (MITRE ATT&CK). Each column is one of the five attacker-outcome narratives a defender funds against. A filled cell means one of the technique's own ATT&CK tactics defensibly advances that outcome; enabler tactics (C2, Defense Evasion, Discovery) heat no column. The technique→outcome mapping is our editorial alignment over ATT&CK's tactic data, not a separately-sourced MITRE edge — the same basis the landing page declares. [1]

Reach: this actor’s cited techniques light columns 1·2·3·4·5 — furthest is 5 · Lights out (furthest-position idiom, reused from the landing map).

Legend: a dot = this technique advances that outcome.
03 · Arsenal — named tools & malware ATT&CK attributes to this group

  • Mimikatz (S0002) · Tool
  • PsExec (S0029) · Tool
  • LaZagne (S0349) · Tool
  • AdFind (S0552) · Tool
  • Rclone (S1040) · Tool
  • Akira (S1129) · Malware
  • Megazord (S1191) · Malware
  • Akira _v2 (S1194) · Malware
04 · Campaign highlights — attributed operations in the ATT&CK record

No attributed campaigns — coverage gap (stated, not hidden). ATT&CK lists no first-class campaign object for G1024 at this snapshot. Public reporting may tie this actor to operations; those enter only with a named advisory under the same cite-or-die rule.
05 · Latest activity — with explicit confidence, and what we cannot yet claim

ATT&CK snapshot: the most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot compiled 2026-06-22. Coverage gap — live “currently active” status not asserted.
CVE ↔ actor bridge — Known exploits / Linked CVEs. Every link below traces to a named source; tier is explicit.

Known exploits — confirmed by named advisory: 2 CVE(s)

  • CVE-2020-3259
  • CVE-2023-20269

The #StopRansomware joint advisory AA24-109A reports that Akira ransomware affiliates gain initial access through Cisco VPN appliances lacking MFA, naming the group and the Cisco ASA/FTD CVEs they exploit to do so. Source for both CVEs: CISA AA24-109A — names this group + CVE.
06 · Coverage & confidence — what we know, and what we don’t

Established (cited)

  • Group identity, aliases, description — MITRE ATT&CK group page
  • 17 techniques — ATT&CK technique pages (linked per row)
  • 8 software (arsenal) — ATT&CK software pages
  • 7 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

  • Origin/sponsor not established from a curated public advisory. ATT&CK prose may imply attribution but is not asserted here — absence of a curated source is a coverage finding, not a clean bill of attribution.
  • Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.
  • Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.
  • Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.
  • ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.
  • No attributed ATT&CK campaign object — activity bounds cannot be established.